Posts

My son’s now into Minecraft. I set up a Docker-based server for him, & discovered that he was running Minecraft Windows 10 Edition. This uses the same API as Minecraft Pocket Edition, which is not the same as Notch‘s standard Java-based Minecraft. For this reason, my first attempt at running a server worked only on my son’s PC when he remembered to run the Java-based game.

So I ran a Minecraft PE server. This was wonderfully easy but for actually starting the damn thing in a forked process. After multiple permutations of setsid, & and parentheses, this was the only command that actually forked successfully on Amazon’s default CentOs:

1

nohup setsid./start.sh&

Share this:

Like this:

If ever I wondered what being on the receiving end of nervous smugness was like, today I can wonder no more. Some exponents of the Leave campaign on Twitter have today furiously denied the fact that the UK needs the EU more than the EU needs the UK because of the EU having more deficit. I guess we’ll find out what nonsense that is shortly.

The next pro-Brexit lie to contend with is that the triggering of Article 50 is irrevocable. Hopefully there are some who in the next 2 years can disabuse all of this misconception.

Share this:

Like this:

Because I don’t follow security advisories religiously, & check my site certs only when I think I need to (i.e. a little time before they expire), I missed the near unanimous decision to distrust StartCom as a Certificate Authority. Instead, I found out by attempting to show a friend my evolution simulator. My recently updated Android Firefox browser showed me a certificate warning despite the fact that my cert should have been good until 2020. Aiiee! Since I was at the 2017 Bosch Hackathon, I was a little busy to do anything about it until later. What a keen site maintainer I am (not).

Referring to my earlier experiences on this topic, I see that Eric Mill is a much better man than I, and has already been advising people against using StartCom certs since last year.

I chose to use Let’s Encrypt to generate my new certs. My hosting provider, 34sp.com, provides integrated Let’s Encrypt support, but this would not cover all the subdomains I wanted out of the box. I also do not have direct ssh access to my box, opting for a cheaper shared server. Instead, I installed certbot,

Because certbot needs to verify my ownership of each subdomain, & some subdomains I wanted a cert for don’t have a server behind them, I used DNS TXT entries.

DNS TXT entries don’t update immediately, so I used MXToolBox’s outstanding DNS text lookup tool. This meant I could tell certbot to verify my DNS TXT for a given domain only after that value had been successfully published.

After using this for a while, I found whatsmydns.net more useful, as it makes multiple queries, & you can view how your DNS update is propagating.

In the future, I should be able to renew this cert by simply running:

1

$sudo certbot renew

All that was left was a simple matter of uploading the cert using the site management tools & I’m your uncle, or something. Please don’t call me Bob.

Addendum

This part is likely only of interest to me.

The DNS TXT entries confuse subnet resolution. Prefixing them prevents this confusion, but I’m sure there must be a better way to do this. I’ll have to remember to remove the prefix the next time I want to update my cert.

A better way to do this

As I mentioned, there has to be a better way to do this. My DNS records contains an asterisk (*) term for the base hostname. Adding an explicit subdomain name, like _acme-challenge.blog, means that the “blog” part of that subdomain becomes explicit. There’s no explicit definition of the address of blog, so the DNS behaviour is to return unresolved. I solved this by explicitly pointing blog to my server address. This at least means that I don’t have to do anything silly, like breaking my DNS for every subdomain next time I want to renew my cert.

A better better way to do this

Instead of adding an address resolution record, I can add a canonical name record (CNAME) for blog, resolving to the root domain, which can then be resolved to the server address.

This is better because it’s easier for me or others to update the server address then. Hooray. Probably anyone who knew anything about DNS could have figured this out way quicker than I have. Hey-ho. It works.